Latest ads
-
🚀 GOOGLE AI PRO 18 MONTHS ACTIVATION 🚀- sayuru bandara
- Updated:
-
Pure VPN - Up to 27 Months- vgp
- Updated:
-
Gemini AI PRO 18 months Offer- Hawaka
- Updated:
Loku hack ekak yanawa
- Thread starter Emios
- Start date
We are using TanStack Query
npm team eke kello innawa neda wadipura
npm is just one package manager.. use something else?
------ Post added on May 12, 2026 at 8:02 PM
npm is just one package manager.. use something else?
------ Post added on May 12, 2026 at 8:02 PM
මම cybersecurity සහා computer science ගැන දන්නවා, එක නිසා තෙරුනාබොරුවට හිනා උනාට උබට තේරුනෙත් නෑ නේද?
මම cybersecurity සහා computer science ගැන දන්නවා, එක නිසා තෙරුනා
තෝයි මායි දන්න cybersecurity සහ computer science
තේරුනේ නැත්තං ලැජ්ජ වෙන්නෙ නැතුව තේරුනේ නෑ කියහං මම වගේ
On 2026-05-11 between 19:20 and 19:26 UTC, an attacker published 84 malicious versions across 42 @tanstack/* npm packages by combining: the pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. No npm tokens were stolen and the npm publish workflow itself was not compromised.
The malicious versions were detected publicly within 20 minutes by an external researcher ashishkurmi working for stepsecurity. All affected versions have been deprecated; npm security has been engaged to pull tarballs from the registry. We have no evidence of npm credentials being stolen, but we strongly recommend that anyone who installed an affected version on 2026-05-11 rotate AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials reachable from the install host.
Tracking issues: https://github.com/TanStack/router/issues/7383
The malicious versions were detected publicly within 20 minutes by an external researcher ashishkurmi working for stepsecurity. All affected versions have been deprecated; npm security has been engaged to pull tarballs from the registry. We have no evidence of npm credentials being stolen, but we strongly recommend that anyone who installed an affected version on 2026-05-11 rotate AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials reachable from the install host.
Tracking issues: https://github.com/TanStack/router/issues/7383
Packages affected
42 packages, 84 versions (two per package, published roughly 6 minutes apart). See the tracking issue for the full table. Confirmed-clean families: @tanstack/query*, @tanstack/table*, @tanstack/form*, @tanstack/virtual*, @tanstack/store, @tanstack/start (the meta-package, not @tanstack/start-*).What the malware does
When a developer or CI environment runs npm install, pnpm install, or yarn install against any affected version, npm resolves the malicious optionalDependencies entry, fetches the orphan payload commit from the fork network, runs its prepare lifecycle script, and executes a ~2.3 MB obfuscated router_init.js smuggled into the affected tarball. The script:- Harvests credentials from common locations: AWS IMDS / Secrets Manager, GCP metadata, Kubernetes service-account tokens, Vault tokens, ~/.npmrc, GitHub tokens (env, gh CLI, .git-credentials), SSH private keys
- Exfiltrates over the Session/Oxen messenger file-upload network (filev2.getsession.org, seed{1,2,3}.getsession.org) — end-to-end encrypted with no attacker-controlled C2, so blocking by IP/domain is the only network mitigation
- Self-propagates: enumerates other packages the victim maintains via registry.npmjs.org/-/v1/search?text=maintainer:<user> and republishes them with the same injection
So what should we do? I just finished the MVP of a product using Nextjs, supabase and Tanstack Query
